For years, we have waited with bated breath for the arrival of the “Internet of Things” (IoT) to transform garages into smart factories, cars into autonomous vehicles and ordinary homes into smart homes completely controllable by cellphones. Two technologies underpinning this world of the future (inexpensive sensors and 5G networking) will catalyze this vision in 2020. Gartner predicts that connected devices will rise from 8.4B in 2017 to 20.4B in 2020. While the hurdles for this vision are many (increased regulation, privacy concerns, and the trade war, which may bifurcate the IoT due to geopolitical disputes regarding 5G), the McKinsey Global Institute estimates that IoT technologies will create between $3.9T and $11.1T in economic value globally by 2025. Those interested in capitalizing on this world of the future should be mindful of the legal framework of the future (and near present).
In terms of increased regulation, compliance with the California Consumer Privacy Act has been first and foremost on everyone’s minds, allowing California’s new IoT law to pass under the radar. Effective as of the New Year, California’s IoT law regulates companies that manufacture connected devices sold in the state. Under the new law, a connected device is any device that connects to the internet, directly or indirectly. The new law mandates that manufacturers kit out connected devices with “reasonable” security features that are (i) appropriate to the nature and function of the device, (ii) appropriate to the information the device may collect, and (iii) designed to protect both the device and its information from unauthorized access. This law joins the patchwork quilt of state laws regulating privacy, adding to the voluminous number of state laws that regulate data privacy and security and make companies’ compliance with such laws unnecessarily tedious, expensive and complex. Since 2017, at least fifteen bills regarding IoT security have been introduced in Congress. A national privacy bill is being debated in Washington and will likely pass in 2021.
There is some new guidance to assist companies in interpreting the IoT laws’ standard of reasonableness. In August 2019, the National Institute of Standards and Technology published “Core Cybersecurity Feature Baseline for Securable IoT Devices,” which provides guidance on best practices for mitigating IoT risk. These and similar guidelines promulgated elsewhere provide a framework for companies looking to comply with IoT security laws. Common IoT security guidelines generally include the following:
- Encryption at rest and in transit
- Security by design
- Software and firmware updates
- Security incident logs
- Restricted access to local and network interfaces
- Identification and authentication protocols
In addition to these best practices, it is critical that companies develop and maintain internal policies and processes regarding new legal requirements and compliance with such requirements. One such process is a security impact assessment which enables the company to determine whether any new IoT products and their security features (or lack thereof) run afoul of regulatory security requirements. Companies further must stay up-to-date on pending and passed laws and regulations, as the only certainty in this field is that more regulation is to come. Companies will want to pay particular attention to California, which will lead the country in tech policy next year—from privacy to the IoT to net neutrality to taxation to employment law. Nothing much might happen in Washington in 2020, but the tech industry, like most San Franciscans, should be prepared for the next earthquake to hit in California. Are you ready?